Data Processing Agreement (DPA)
עבריתLast updated: 16/03/2026
1. Parties
This Data Processing Agreement ("Agreement" or "DPA") is entered into between:
- Levor Technologies Ltd., Company No. _________, located at _________, Israel (the "Processor");
- The Customer, as defined in the Service Agreement (the "Controller").
This Agreement constitutes an addendum to the Master Service Agreement and governs the processing of personal data by the Processor on behalf of the Controller in connection with the LevoRustDesk platform services.
2. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under the Israeli Privacy Protection Law, 5741-1981, and the GDPR. |
| Processing | Any operation performed on personal data, including collection, recording, storage, modification, retrieval, transfer, and deletion. |
| Data Subject | The individual to whom the personal data relates (Customer's employees, technicians, end-users of managed devices). |
| Controller | The entity that determines the purposes and means of processing personal data (the Customer). |
| Processor | The entity that processes personal data on behalf of the Controller (Levor Technologies Ltd.). |
| Sub-Processor | A third party engaged by the Processor to process personal data on behalf of the Controller. |
| Data Breach | A security breach leading to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data. |
| Standard Contractual Clauses (SCCs) | Standard contractual clauses approved by the European Commission for international data transfers. |
3. Scope & Purpose of Processing
The Processor shall process personal data solely for the purpose of providing the LevoRustDesk platform services, which include:
- Remote device management and telemetry monitoring
- Remote desktop connectivity
- Technical support and helpdesk management
- AI chatbot for customer service
- Account, subscription, and billing management
- Connection analytics and reporting
The Processor shall not process personal data for any other purpose unless required to do so by applicable law, in which case the Processor shall inform the Controller in advance (to the extent permitted by law).
4. Categories of Data Processed
| Category | Details |
|---|---|
| User Account Data | Full name, email address, phone number, company name, role |
| Device Telemetry | Hardware specifications (CPU, RAM, GPU), installed software, disk usage, network information |
| Connection Logs | Session data, timestamps, IP addresses, connection duration |
| Support Tickets & Chat Messages | Ticket content, chat messages with technicians and AI chatbot |
| Payment Information | Processed by ICount; the Processor does not store credit card details |
Data Subjects: Customer's employees, technicians, end-users of managed devices.
5. Processor Obligations
5.1 Documented Instructions
The Processor shall process personal data only on the basis of documented instructions from the Controller, as set out in this Agreement and the Master Service Agreement.
5.2 Confidentiality
The Processor ensures that all personnel authorized to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.
5.3 Security Measures
The Processor implements the following technical and organizational security measures:
- Transport Encryption: TLS 1.2+ for all communications
- Password Hashing: bcrypt with unique salt
- Two-Factor Authentication (2FA): TOTP with authenticator app
- Role-Based Access Control (RBAC): Four permission levels
- Audit Logging: Comprehensive logging of all operations
- Encryption at Rest: Database and sensitive data encryption
- Account Lockout: Automatic lockout after failed attempts
- Rate Limiting: Protection against brute-force attacks
5.4 Sub-Processor Management
The Processor shall not engage an additional Sub-Processor without the prior general written authorization of the Controller. The Processor shall notify the Controller of any intended changes to Sub-Processors at least 30 days in advance, providing the Controller an opportunity to object.
5.5 Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing, within a reasonable timeframe.
5.6 Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected
- The name and contact details of the data protection officer or contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
5.7 Return & Deletion
Upon termination of the service agreement, and at the Controller's choice, the Processor shall return all personal data or delete it within 30 days, unless retention is required by applicable law. The Processor shall provide written confirmation of deletion upon request.
6. Sub-Processors
The Controller approves the following Sub-Processors:
| Sub-Processor | Location | Purpose | Data Processed |
|---|---|---|---|
| ICount Ltd. | Israel | Payment processing | Name, email, billing details |
| OpenAI Inc. | USA | AI chatbot | Chat messages, device names, device IDs, support information (may include PII) |
| RustDesk Infrastructure | Israel / Germany | Connection relay server | Device IDs, connection data, IP addresses |
| Hosting Provider | As configured | Server hosting | All data stored on the platform |
An up-to-date list of Sub-Processors is available at any time upon request at dpa@levor.io.
7. International Data Transfers
Personal data is primarily stored in Israel. Israel is recognized by the European Commission as providing an adequate level of protection for personal data.
In the event of data transfers to countries outside Israel/the European Economic Area (EEA) that are not recognized as providing an adequate level of protection, the Processor shall ensure one of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- An Adequacy Decision by the Commission
- Other appropriate safeguards recognized under the GDPR
Regarding OpenAI: Data transferred to OpenAI may include chat message content, device names, device identifiers, and support information entered by the user during conversations. We work to minimize PII exposure and SCCs are in place between the Processor and OpenAI.
8. Data Subject Rights
The Controller may exercise the following data subject rights through the portal or by direct request:
- Right of Access: View all stored personal data
- Right to Rectification: Update and correct inaccurate data
- Right to Erasure: Request deletion of data ("Right to be Forgotten")
- Right to Restriction: Restrict processing under certain circumstances
- Right to Portability: Receive data in a structured format (GDPR export)
- Right to Object: Object to processing under certain circumstances
Requests can be submitted by contacting dpa@levor.io or through the portal dashboard (Profile → Export Data / Delete Account).
9. Audit Rights
The Controller may audit the Processor's compliance with the obligations under this Agreement, subject to the following conditions:
- Prior written notice of at least 30 days
- The audit shall be conducted during normal business hours
- The Controller shall bear the costs of the audit
- The audit shall not compromise the security of data or the privacy of other customers
- Third-party audit reports (SOC 2, ISO 27001) may be accepted as an alternative
The Processor shall provide reasonable information and documentation demonstrating compliance with this Agreement.
10. Term & Termination
This Agreement takes effect upon commencement of use of the service and remains in force as long as the Processor processes personal data on behalf of the Controller.
Upon termination of the Service Agreement:
- The Processor shall cease processing personal data
- Personal data shall be returned or deleted within 30 days, at the Controller's choice
- Data required to be retained by law shall be retained solely in accordance with legal requirements
11. Liability
Each party's liability under this Agreement is subject to the limitations of liability set out in the Master Service Agreement, to the extent permitted by applicable law.
Each party shall indemnify the other party against damages, costs, and claims arising from a breach of its obligations under this Agreement.
12. Governing Law & Jurisdiction
This Agreement is governed by the laws of the State of Israel, including the Privacy Protection Law, 5741-1981, and the Privacy Protection Regulations (Data Security), 5777-2017.
To the extent the service is provided to data subjects in the European Union, the provisions of the GDPR (General Data Protection Regulation, EU 2016/679) shall also apply.
Exclusive jurisdiction shall be vested in the competent courts of the Tel-Aviv District, Israel.
13. Contact
For questions, requests, or objections regarding personal data processing:
- Email: dpa@levor.io
- Privacy: privacy@levor.io
- Company: Levor Technologies Ltd.